About This Document

This document is Volume 6 of the OCTAVE-S Implementation Guide, a 10-volume handbook supporting the OCTAVE-S methodology. This volume provides worksheets to document data related to critical assets that are categorized as people.

The volumes in this handbook are

• Volume 1: Introduction to OCTAVE-S - This volume provides a basic description of OCTAVE-S and advice on how to use the guide.

• Volume 2: Preparation Guidelines - This volume contains background and guidance for preparing to conduct an OCTAVE-S evaluation.

• Volume 3: Method Guidelines - This volume includes detailed guidance for each OCTAVE-S activity.

• Volume 4: Organizational Information Workbook - This volume provides worksheets for all organizational-level information gathered and analyzed during OCTAVE-S.

• Volume 5: Critical Asset Workbook for Information - This volume provides worksheets to document data related to critical assets that are categorized as information.

• Volume 6: Critical Asset Workbook for Systems - This volume provides worksheets to document data related to critical assets that are categorized as systems.

• Volume 7: Critical Asset Workbook for Applications - This volume provides worksheets to document data related to critical assets that are categorized as applications.

• Volume 8: Critical Asset Workbook for People - This volume provides worksheets to document data related to critical assets that are categorized as people.

• Volume 9: Strategy and Plan Workbook - This volume provides worksheets to record the current and desired protection strategy and the risk mitigation plans.

• Volume 10: Example Scenario - This volume includes a detailed scenario illustrating a completed set of worksheets.


CMU/SEI-2003-HB-003 Volume 8

OCTAVE-S V1.0


Abstract

The Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE®) approach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from an organization assume responsibility for setting the organization’s security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organization’s personnel who gather and analyze information, producing a protection strategy and mitigation plans based on the organization’s unique operational security risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the organization’s business and security processes, so it will be able to conduct all activities by itself.
1 Introduction

This document contains the Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE®)-S worksheets related to critical assets that are people. The activities related to these worksheets are focused on analyzing a critical asset.

Table 1 provides a brief introduction to the contents of this workbook, using activity step numbers as a key. For more details about how to complete each step, refer to the OCTAVE®-S Method Guidelines, which can be found in Volume 3 of the OCTAVE®-S Implementation Guide.


Table 1: Worksheets Provided in This Workbook

| Step | Description | Worksheet | Activity | Pages |
|---|---|---|---|---|
| Step 6 | Start a Critical Asset Information worksheet for each critical asset. Record the name of the critical asset on its Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8 |
| Step 7 | Record your rationale for selecting each critical asset on that asset’s Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8 |
| Step 8 | Record a description for each critical asset on that asset’s Critical Asset Selection worksheet. Consider who uses each critical asset as well as who is responsible for it. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8 |
| Step 9 | Record assets that are related to each critical asset on that asset’s Critical Asset Information worksheet. Refer to the Asset Identification worksheet to determine which assets are related to each critical asset. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8 |
| Step 10 | Record the security requirements for each critical asset on that asset’s Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8 |
| Step 11 | For each critical asset, record the most important security requirement on that asset’s Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets | 5-8 |
| Step 12 | Complete all appropriate threat trees for each critical asset. Mark each branch of each tree for which there is a non-negligible possibility of a threat to the asset. If you have difficulty interpreting a threat on any threat tree, review the description and examples of that threat in the Threat Translation Guide. | Risk Profile; Threat Translation Guide | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets | 9-24 |
| Step 15 | Record how often each threat has occurred in the past. Also record how accurate you believe your data are. | Risk Profile | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets | 9-24 |
| Step 16 | Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset. | Risk Profile | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets | 9-24 |
| Step 22 | Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) for each active threat to each critical asset. | Risk Profile; Impact Evaluation Criteria | Phase 3, Process S4, S4.1 Evaluate Impacts of Threats | 9-24 |
| Step 24 | Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) for each active threat to each critical asset. Document your confidence level in your probability estimate. | Risk Profile; Probability Evaluation Criteria | Phase 3, Process S4, S4.3 Evaluate Probabilities of Threats | 9-24 |
| Step 26 | Transfer the stoplight status for each security practice area from the Security Practices worksheet to the “Security Practice Areas” section (Step 26) of each critical asset’s Risk Profile worksheet. | Risk Profile; Security Practices | Phase 3, Process S5, S5.2 Select Mitigation Approaches | 9-24 |
| Step 27 | Select a mitigation approach (mitigate, defer, accept) for each active risk. For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities. | Risk Profile | Phase 3, Process S5, S5.2 Select Mitigation Approaches | 9-24 |

℠ Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

® OCTAVE is registered in the United States Patent and Trademark Office by Carnegie Mellon University.
2 Critical Asset Information Worksheet for People

Phase 1, Process S2, Activity S2.1

Step 6

Start a Critical Asset Information worksheet for each critical asset. Record the name of the critical asset on its Critical Asset Information worksheet.

Step 7

Record your rationale for selecting each critical asset on that asset’s Critical Asset Information worksheet.

Step 8

Record a description for each critical asset on that asset’s Critical Asset Selection worksheet. Consider who uses each critical asset as well as who is responsible for it.

Step 9

Record assets that are related to each critical asset on that asset’s Critical Asset Information worksheet. Refer to the Asset Identification worksheet to determine which assets are related to each critical asset.

Phase 1, Process S2, Activity S2.2

Step 10

Record the security requirements for each critical asset on that asset’s Critical Asset Information worksheet.

Step 11

For each critical asset, record the most important security requirement on that asset’s Critical Asset Information worksheet.
Critical Asset Information Worksheet

Critical Asset
What is the critical person(s)?

Rationale for Selection
Why is this person(s) critical to the organization?

Step 9

Related Assets
Which assets are related to this person(s)?

Systems:
Information:
Applications:
Other:

Description
What special skills or knowledge are provided by this person(s)?
3 Risk Profile Worksheet for People - Other Problems

Phase 1, Process S2, Activity S2.3

Step 12

Complete the threat tree for other problems. Mark each branch of each tree for which there is a non-negligible possibility of a threat to the asset.

If you have difficulty interpreting a threat on the threat tree, review the description and examples of that threat in the Threat Translation Guide (see pp. 26-30 of this workbook).

Step 15

Record how often each threat has occurred in the past. Also record how accurate you believe your data are.

Step 16

Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset.

Phase 3, Process S4, Activity S4.1

Step 22

Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) to each active threat.

Phase 3, Process S4, Activity S4.3

Step 24

Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) to each active threat. Document your confidence level in your probability estimate.

Phase 3, Process S5, Activity S5.2

Step 26

Transfer the stoplight status for each security practice area from the Security Practices worksheet to the “Security Practice Areas” section (Step 26) of the following worksheet.

Step 27

Select a mitigation approach (mitigate, defer, accept) for each active risk.

For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities.
Other Problems: Basic Risk Profile

[Worksheet form. Columns: Probability (How likely is the threat to occur in the future? How confident are you in your estimate? Record a Value and a Confidence); Security Practice Areas (What is the stoplight status for each security practice area? Grouped as Strategic and Operational); Approach (What is your approach for addressing each risk?). The form provides one row of checkboxes for each threat outcome.]
Other Problems: Threat Context

Step 15

History

[Worksheet form. For each branch of the threat tree, record how often the threat has occurred in the past ("___ times in ___ years") and how accurate the data are (Very, Somewhat, or Not At All).]

Threat tree actors, each with the outcomes disclosure, modification, loss/destruction, and interruption:

• key people taking a temporary leave of absence (e.g., due to illness, disability)
• key people leaving the organization permanently (e.g., retirement, other opportunities)
• threats affecting a third-party or service provider
• (actor left blank on the worksheet)
Step 16

Other Problems: Areas of Concern

People Taking a Temporary Leave of Absence

Give examples of how key people taking a temporary leave of absence could affect the ability of this person or group of people to provide critical services, skills, and knowledge.

People Leaving the Organization Permanently

Give examples of how key people leaving the organization permanently could affect the ability of this person or group of people to provide critical services, skills, and knowledge.

Threats Affecting a Third-Party

Give examples of how threats affecting a third party or service provider could affect the ability of that third-party or service provider to provide critical services, skills, and knowledge.

(Threat left blank on the worksheet)

Give examples of how __________ could affect the ability of this person or group of people to provide critical services, skills, and knowledge.
Other Problems (cont.): Basic Risk Profile

[Worksheet form, continuation page. Columns: Probability (How likely is the threat to occur in the future? How confident are you in your estimate? Record a Value and a Confidence); Security Practice Areas (What is the stoplight status for each security practice area? Grouped as Strategic and Operational); Approach (What is your approach for addressing each risk?). The form provides one row of checkboxes for each threat outcome.]
Other Problems (cont.): Threat Context

History

[Worksheet form, continuation page. The threat tree has four actors left blank on the worksheet, each with the outcomes disclosure, modification, loss/destruction, and interruption. For each branch, record how often the threat has occurred in the past ("___ times in ___ years") and how accurate the data are, using the three checkboxes provided.]
Step 16

Other Problems (cont.): Areas of Concern

[Worksheet form, continuation page. Four entries, each for a threat left blank on the worksheet, with the prompt:]

Give examples of how __________ could affect the ability of this person or group of people to provide critical services, skills, and knowledge.
4 Threat Translation Guide

Phase 1, Process S2, Activity S2.3

The Threat Translation Guide describes each branch of an asset-based threat tree. If you have difficulty understanding the types of threats represented by a branch, you can use this guide to decipher the meaning of that branch.

You will find asset-based threat trees for the following sources of threat:

| Source of Threat | Page |
|---|---|
| Other problems | 26-30 |
Other Problems

Actor: key people taking a temporary leave of absence (e.g., due to illness, disability)

| Outcome | Description | Example* |
|---|---|---|
| disclosure | (blank) | (blank) |
| modification | (blank) | (blank) |
| loss, destruction | (blank) | (blank) |
| interruption | A staff member(s) with unique knowledge or a unique skill takes a temporary leave of absence from an organization. The organization does not have any other staff members with comparable skills, resulting in an interruption of access to the unique knowledge or skill. | A key member of the IT group in a small organization takes a leave of absence to care for an ill family member. This member of the IT staff is responsible for maintaining a legacy order entry system. No other staff members know how to maintain the system. The organization has a temporary interruption of access to a vital skill that is important to its business operations. |

Actor: key people leaving the organization permanently (e.g., retirement, other opportunities)

| Outcome | Description | Example* |
|---|---|---|
| disclosure | (blank) | (blank) |
| modification | (blank) | (blank) |
| loss, destruction | (blank) | (blank) |
| interruption | A staff member(s) with unique knowledge or a unique skill leaves an organization permanently. The organization does not have any other staff members with comparable skills, resulting in an interruption of access to the unique knowledge or skill until a replacement is hired. | A clerk is responsible for entering data into a database system. The clerk, who is currently the only one at the company who understands how to use the system, unexpectedly leaves for a better position at another company. The organization no longer has access to a skill that is important to its business operations until a replacement is hired and trained. |

* Blank lines indicate unusual or extremely rare possibilities.
Other Problems

Actor: threats affecting a third-party or service provider

| Outcome | Description | Example* |
|---|---|---|
| disclosure | (blank) | (blank) |
| modification | (blank) | (blank) |
| loss, destruction | (blank) | (blank) |
| interruption | An organization depends on a third party for a particular service. Any threats to the third party that prevent them from fulfilling their obligations result in an interruption of service to the organization. | A service provider maintains the computing infrastructure for a manufacturing company. A shop floor scheduling system is physically located at the service provider’s site. A disgruntled staff member employed by the service provider plants a software “time bomb” that takes down the service provider’s networks for several days. The manufacturing site’s access to the shop floor scheduling system is interrupted until the service provider can get its infrastructure running again. |

Actor: (left blank on the worksheet), with the outcomes disclosure, modification, loss/destruction, and interruption.

* Blank lines indicate unusual or extremely rare possibilities.